Internet threat news

Wikileaks still has not published all of the source code of the CIA zero-day defects that they mentioned a few weeks ago. This is while Julian Assange negotiates with affected hardware and software vendors when to give them this code so they can fix these security weaknesses before Wikileaks publishes all of that. There is some pushback from the vendors who worry about the legal implications of using stolen classified material themselves and some unknown conditions insisted upon by Mr Assange.

Now WikiLeaks has published the second batch of Vaul 7 documents, which they call “Dark Matter.” These detail how the CIA has been hacking iPhones and Macs.

There is not much danger that hackers are going to be able to replicate what the CIA has done as they are using old fashioned spycraft. The CIA has managed to plug itself into the Apple supply chain to physically get their hands on these Apple devices and modify their firmware so that the CIA can use them to spy on their targets. This means they either have someone working with them in the chip manufacturing and distribution process or are attacking these devices in the mails as they are shipped to customers.

On the Mac, the attack is against EFI/UEFI. This is also called bios. This is the hardware part of the boot up process that loads before OS X loads. Even if a Mac user suspects that their device has been infected, if they wipe the device or upgrade the OS they cannot eliminate the firmware, because it is built into the CPU.  That is the same for the iPhone.

Unlike the first publication of CIA documents, this time we have complete instruction manuals for the Sonic Screwdriver, DerStarke, Triton, and DarkSeaSkies exploits published online, as web pages and PDFs.

A watering hole attack is one way that hackers can go after an individual organization or type of organization. Unlike a phishing attack it is designed to infect websites that people are known to frequent based upon where they work. For example, they could infect the website of a delivery pizza service near the bank or another intended target. Or they could infect a website that lawyers might frequent, like the county civil court. A watering hole attack too can work when phishing is not working, because employees have been carefully trained to look out for that.

The watering hole principle is target to the weakest link, an approach that has been shown to work in cyber or any kind of attack. The term “watering hole” means a bar people frequent as well as a source of water where animals can drink.

If the target is a bank - who presumably has the best security available - then one way to attack the bank is to attack websites bank employees use. Then they can download malware onto the employee’s computer and proceed to attack other computers and networks from there.

In Outside the Closed World: On Using Machine Learning for Network Intrusion Detection the authors write: "In network intrusion detection research, one popular strategy for finding attacks is monitoring a network's activity for anomalies: deviations from profiles of normality previously learned from benign traffic, typically identified using tools borrowed from the machine learning community. However, despite extensive academic research one finds a striking gap in terms of actual deployments of such systems: compared with other intrusion detection approaches, machine learning is rarely employed in operational "real world" settings."

This paragraph points out the problem of using intrusion detection, anti-malware, anti-spam, and firewalls by themselves to protect one’s infrastructure “despite extensive academic research” and given the availability of machine language tools.

A security researcher at Google was doing security research when he noticed that data coming from CloudFlare included passwords and other private data. He conferred with his colleges who confirmed the problem. Then he quickly got on Twitter and sent an urgent message to CloudFlare asking them to contact him right away.

The media was quick to proclaim this another HeartBleed bug and sounded the alarm.

CloudFlare is a Content Distribution Network (CDN) used by such mega companies as Uber. Many smaller companies use it too. What CloudFlare does is route web traffic through its global network thus bringing the web pages closer to its users and reducing latency. In other words it makes web pages load faster in, say, Germany than having to make the round trip to Silicon Valley. That shaves as much as 500 milliseconds (½ second) off the load time.

This episode was an embarrassment for CloudFlare. The data that was leaked included instant messages from dating websites like OKCupid. It also included cookies, encryption keys, and authentication tokens.

The Deep Web is that part of the internet where hackers sell exploit kits and stolen data. Such sites are often hard to find. Many require an invitation from someone else to join. Some, like AlphaBay, hide behind the Tor network.

TrendLabs Security reports that data stolen from US hospitals is showing up on markets there. Prices range from $1 for a patient profile to $500,000 for a complete database.

This data has value on several fronts. This data has lasting value because it includes Social Security numbers, which, unlike credit card numbers, is something that people cannot change. It is also harder to obtain since retailer databases do not store those. Thieves can sometimes use prescription information to obtain controlled substances dispensed using the mails. But more valuable is the personally identifiable information (PII) which can be used for identity theft. This includes making fake tax returns and then applying for a refund from the government under that person’s name. They can also make fake claims to an insurance company for reimbursement. And they can create identities for criminals on the run, terrorists, or whoever by using the data of people who are deceased. That is called a farmed identity and sells for about $1,000.

The massive DDOS attack on the Akamai CDN (content distribution network) that last year took down Netflix, Amazon, and others because of compromised IP cameras that were using a default password shined the spotlight on IoT security. In particular, there is the concern about attacks on heavy industrial machinery, valves, gas pipelines, turbines, electric grids, etc. and other equipment. Many if not most of these use the ModBus protocol to communicate between PLC and SCADA devices, which control this equipment. ModBus has no authentic at all and transmits its data in clear text.

Most industrial machines do not have a public IP address. Ethernet does not even work throughout all of the plant as part of the industrial network is serial and other protocols that a hacker could not attack using tools written for Linux or Windows.

But there are many devices exposed to the internet. Here is via a Shodan query a list of wind turbines on the internet, for example. And here are devices that have “ics” somewhere in their name.

The most famous of all industrial ICS hacking was the Stuxnet worm launched by the USA and Israel against Iran’s nuclear fuel enrichment program. By hacking PLC controllers the spies were able to cause expensive centrifuges used to separate fuel to rotate at such high speed that they broke.

As we have said before, it seems hardly a week goes by without an announcement of another security weakness found in Adobe Flash. This week we discuss two.

HTML5 was supposed to replace Adobe Flash. The goal was to have a standard that browser designers could use to process video without having to rely on 3rd-party software for that. But for different reasons, most sites still use Flash. Steve Jobs at Apple famously wrote in 2010 that he would not allow Flash onto the iPhone or iPad. He later backtracked, in part because of the threat of anti-competitive litigation. Plus website owners whose videos would no longer work complained in large numbers.

The Flash Player is built into most browsers. For example in Google Chrome you can type chrome://plugins/ and you will see something like:

Adobe Flash Player - Version: 24.0.0.194
Shockwave Flash 24.0 r0

The two new exploits are CVE-2016-4117 Flash Zero-Day Exploited in the Wild and CVE-2016-1019 A New Flash Exploit Included in Magnitude Exploit Kit, reports FireEye. Those vulnerabilities are in version 21.0.0.216 and and 21.0.0.197 and older. They have been fixed by Adobe.

Adobe thanked the security researcher @kafeine for finding the second one. It is related to some of the hacking techniques leaked to WikiPedia by The Italian Team, author of million dollar exploits sold to governments and others.

Metasploit is a tool that white hat hackers use to do penetration testing. No doubt criminals use it too.

What Metasploit does is take exploits gathered by thousands of contributors and package them into scripts and a command line and web interface so that security admins and analysts can test if any of the computers on their network are subject to any known vulnerabilities. If they are then they need to be patched against that vulnerability.

The product is open-sourced, Metasploit says, but you still have to pay for it. You can download the Community Edition and use that free for 1 year. The Professional version is free for 14 days.  Both are open-sourced in that anyone can write code that exploits a vulnerability and then contribute that to Metasploit.

To get you started with learning this tool, Metasploit provides a virtual machine called Metasploitable that you can run with VMWare or VirtualBox. This is an Ubuntu VM that has been deliberately loaded up with security flaws, such as out-dated versions of software and misconfigured software and using default passwords that Metasploit can guess.

You download and install Metasploit. Then it sets up a web interface. But that is mainly useful for scanning hosts. It’s easier to run exploits from the command line. On Ubuntu, that is /opt/metasploit/msfpro. The name is “pro” even for the Community Edition. You have to remember to run this with sudo privileges or it will throw an error.

Microsoft publishes security bulletins and advisories here. Those warn of vulnerabilities in Microsoft products.  You can sign up for updates via RSS or email here. They say:

“To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release.”

Microsoft says that Security Advisories flag security problems with Microsoft products. They are released as issues are found. Security Bulletins are issued monthly as a update for the issues found that month. The Advisory updates only the component mentioned in the Advisory.  Bulletins update the whole OS or a packaged bundle, like the .Net runtime. Advisories are targeted to programmers who can update the single subroutine mentioned in the advisory. So it is a way to issue the fix ahead of the bulletin. But it is not always going to help people who are using apps written by 3rd parties until the 3rd parties update those. Microsoft keeps older versions of its run-time components in Windows to support apps that have not been updated to use the newer components.

A group of hackers known as Carbank, who in 2015 stole an incredible $1 billion USD from banks, have been again using RTF documents with embedded OLE objects to plant malware on computers. They send these documents in emails using phishing attacks. Then they use Google services on the machine to plant further instructions.
   
OLE is an object (Object Linking and Embedding) in old Microsoft technology, still in use, that lets programmers create objects with relative ease, like push buttons, drop box lists, or to execute code that they wrote themselves in Visual Basic.

Visual Basic has been in Microsoft Windows and DOS since Bill Gates and some other people wrote that when Gates was in Harvard. Visual Basic is one of the easiest languages to code.  But it is dangerous, since it can access low level functions, like copying files.

VB in a spreadsheet is similar to a Macro, except VB is a full programming language. Macros just do simple steps. For example, with OLE, users of any Microsoft Office product can put buttons on screens in Microsoft Excel or Microsoft Access and then they can write their own VB code and attach it to those buttons or kick it off automatically when those docs are loaded.

The Tor browser is a tool used by Edward Snowden, journalists, US government workers traveling overseas, terrorists, criminals, pedophiles, and people downloading movies and doing chat to protect their IP address from discovery. But recently there was a zero day defect that unmasked the identity of whoever was using it. So Tor has hardened its browser against that.   Here we given an overview of that.

The hardened Alpha version of Tor is here. You have to build that one from source code. The production version is here. Just download that one to use it.

Using Tor to Hide Your IP Address
When you visit a web set, you transmit your IP address to that site. That is necessary so that the website knows where to send the page you requested.

Tor, is opensource software that lets you mask your IP address. Tor, ironically, was developed with American Department of Defense funding. This is ironic because now their enemies are using it.

The drama, some might say circus, keeps unfolding around the Russian spying on the US election. What is remarkable is that President-elect Trump is at odds with the security apparatus he will soon inherit. He is saying he does not agree that the Russian government did the hacking. The US intelligence agencies say they have proof they did. Trump is also at odds with members of his own Republican Party. And the former head of the CIA under Bill Clinton, who had become a security advisor to Trump, quit, saying that he was not even invited to meetings where this subject was discussed.

The NSA says they have definitive proof of where the spying came from. Last week we wrote about the technical analysis the NSA provided on our website here. But what is less clear is whether this spying was directed by top Russian officials or President Putin himself.

Obama has already seen and Trump will see this week classified information that the NSA will not show the public. That information, it is said, reveals two items. First, Russians sent communications back to their country celebrating Trump’s win.  Second, they say they have proof that Russian officials provided the stolen documents to Wikileaks, a charge Julian Assange denies. They even know their names.  It is not clear what proof those documents contain that could show that President Putin or the people around him directed the spying.

The Department of Homeland Security and FBI Have released technical details of the hacking of the Democrat Party and Clinton Campaign that they first described in this document in October. As President Obama promised, the government has released proof that this hacking came from Russian intelligence agencies. Now he has punished them by expelling 35 spies and putting banking and travel sanctions on certain Russians. Americans have a unique ability to effectively punish people around the world that way, since most international commerce uses American dollars and some part of the US banking infrastructure.

Obama also promised that any technical analysis would not reveal all the details of how they uncovered what the Russians did, saying that would give away secret techniques. Instead the document includes a list of malware, exploit kits, viruses, domains, techniques, and IP addresses used by the Russians. The document also gives advice how system administrators can help secure their network against these attacks.

It seems hackers also go after people who are supposed to be educated about the dangers of phishing: tech professionals.

Last week I updated the DNS records for my personal email domain. So I was easily tricked when a few hours later I got this email that looks very much like it came from Google support. Luckily this was a harmless ad rotator and not malware. Or it could be that this switched to an ad rotator when it queried my browser and OS and found no match for whatever attack they had planned.